
Finishing Configuration of Access Server

Once the program is installed it will automatically configure itself with some standard settings.

The installation process will also tell you where to find the client web service, which is the web-based GUI that you can use to log on and connect to the Access Server, and where to find the admin web service, which is where you can log on as an administrative user and manage the configuration, certificates, users, and so on in the web-based GUI.

Usually the client UI is at the address of your server, for example https://192.168.70.222/. The admin UI is usually at the /admin/ address, for example https://192.168.70.222/admin/. Please note that the web services by default actually run on TCP port 943, so you can visit them at https://192.168.70.222:943/ and https://192.168.70.222:943/admin/ as well. The OpenVPN TCP daemon that runs on TCP port 443 redirects incoming browser requests so that it is slightly easier for users to open the web interface.

Initially a single administrative user is added to the system, but it has no password set and therefore cannot be used yet. To use it, a password must be set first:

passwd openvpn

You can now point your web browser at the admin UI web interface. Because the Access Server comes with a self-signed SSL certificate to begin with, you will receive a warning in the browser like "Invalid certificate" or "Cannot verify identity of the server". You will have to confirm that you wish to continue to the web interface. You will then see the login screen, where you can enter the username openvpn and the password you have just set with the "passwd openvpn" command.
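
A post-install check for the steps above, as an added example (not part of the original page or of OpenVPN's own tooling): it reads `passwd -S` to confirm the openvpn account has a password set, and `ss -ltn` to confirm listeners on the TCP ports 943 and 443 mentioned earlier. The function names and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Post-install checks (added example; helper names are hypothetical).

# Map one line of `passwd -S <user>` output to a state.
# Debian/Ubuntu print L, NP or P in field 2; RHEL-family prints LK, NP or PS.
account_state() {
    case "$(printf '%s\n' "$1" | awk '{print $2}')" in
        P|PS) echo usable ;;   # a password is set
        L|LK) echo locked ;;   # no usable password yet: run `passwd openvpn`
        NP)   echo empty ;;    # empty password field: set one before using the UI
        *)    echo unknown ;;  # account missing or output not recognised
    esac
}

# Succeed if `ss -ltn` output (read from stdin) has a listener on TCP port $1.
port_listening() {
    awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
                   END { exit !found }'
}

# Live check; needs root because `passwd -S` inspects another account.
check_access_server() {
    state=$(account_state "$(passwd -S openvpn 2>/dev/null)")
    echo "admin account 'openvpn': $state"
    for port in 943 443; do
        if ss -ltn | port_listening "$port"; then
            echo "TCP $port: listening"
        else
            echo "TCP $port: not listening"
        fi
    done
    [ "$state" = usable ]
}

# Constructed sample output, so the parsers can be exercised offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:943        0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'
```

Run `check_access_server` as root on the server itself; a non-zero exit status means the openvpn account still has no usable password.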

Once you are logged in to the Admin UI you can select which authentication system to use. The available choices are local, PAM, RADIUS, and LDAP. The default is PAM, which means that user accounts must be present in the operating system in order to be able to log on to the Access Server. You can also use an external system such as a RADIUS or LDAP server, for example to connect to a Windows Server Active Directory using an LDAP or RADIUS connector. If you do that, we recommend that you use LDAP for best results.

If you are managing only a limited number of users and don't want things to be too complicated, the recommendation is to switch the authentication system to local mode. You can then use the User Permissions screen in the web interface to add/remove users and set passwords and access control rules for them.

Almost everything can then be configured purely from the Admin UI, although some advanced options are only available in the command line tools. If you choose to use PAM, we recommend that you look at the command line authentication options documentation specifically to learn how to add/remove users and manage passwords.

Further documentation is available elsewhere on our website to configure specific functions and configuration options for the OpenVPN Access Server.
